Orange & Chari
Patent & Trademark Agents

John R.S. Orange
Direct Dial: (416) 601-8446
iorange@orpat.com

BY REGISTERED MAIL & COURIER

November 26, 2002

Our File: 00001-0436

Minghua Qu
5495 Middlebury Drive
Mississauga ON
L5M 5G7

Dear Minghua:

Re: United States Patent Application No. 10/092,972
For: Key Agreement & Transport Protocol
Applicant: VANSTONE et al.

Further to our conversation with you on November 11, 2002, regarding the signature of the Declaration and Power of Attorney documents, we have filed a petition to the Patent Office to allow the application to proceed. In the petition, we outlined the attempts we made to obtain your signature.

To avoid the necessity of relying on this procedure in the US Patent Office we would ask you to reconsider signing the documents. If you wish to, I will explain the documents to you or to a person designated by you and the procedure to be followed if we do not obtain your signature. Therefore, I am enclosing a copy of the Application, a Declaration and Power of Attorney document for your signature. For your convenience, we have enclosed a pre-addressed envelope for returning the documents to us C.O.D. Should you decide not to sign these documents, please let us know by fax or mail.

This request is made pursuant to the Assignment of parent case US Application No. 08/426,090 that you executed on June 20, 1995 wherein you agreed to execute any and all required documentation for pursuing patent protection for the related technology.

We will of course reimburse you for any out of pocket expenses associated with responding to this letter.

Please feel free to call me if you have any questions.

Yours very truly,
Orange & Chari

John R.S. Orange
JRO/AS/mh
Encl.

Suite 4900, P.O. Box 190
Toronto Dominion Bank Tower, 66 Wellington Street West
Toronto, Ontario M5K 1H6, Canada
Tel: (416) 601-8440  Fax: (416) 601-8454
Quality Assured Firm - ISO 9001:2000
Declaration and Power of Attorney For Patent Application

English Language Declaration

RECEIVED [date stamp, partly illegible] 2003

As a below named inventor, I hereby declare that:

My residence, post office address and citizenship are as stated below next to my name.

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, first and joint inventor (if plural names are listed below) of the subject matter which is claimed and for which a patent is sought on the invention entitled

KEY AGREEMENT & TRANSPORT PROTOCOL

the specification of which (check one)

□ is attached hereto.

☒ was filed on March 8, 2002 as United States Application No. or PCT International Application Number 10/092,972 and was amended on ______ (if applicable).

I hereby state that I have reviewed and understand the contents of the above identified specification, including the claims, as amended by any amendment referred to above.

I acknowledge the duty to disclose to the United States Patent and Trademark Office all information known to me to be material to patentability as defined in Title 37, Code of Federal Regulations, Section 1.56.

I hereby claim foreign priority benefits under Title 35, United States Code, Section 119(a)-(d) or Section 365(b) of any foreign application(s) for patent or inventor's certificate, or Section 365(a) of any PCT International application which designated at least one country other than the United States, listed below and have also identified below, by checking the box, any foreign application for patent or inventor's certificate or PCT International application having a filing date before that of the application on which priority is claimed.

Prior Foreign Application(s)   Priority Not Claimed

______ (Number)  ______ (Country)  ______ (Day/Month/Year Filed)  □
______ (Number)  ______ (Country)  ______ (Day/Month/Year Filed)  □
______ (Number)  ______ (Country)  ______ (Day/Month/Year Filed)  □

I hereby claim the benefit under 35 U.S.C. Section 119(e) of any United States provisional application(s) listed below:

______ (Application Serial No.)  ______ (Filing Date)
______ (Application Serial No.)  ______ (Filing Date)
______ (Application Serial No.)  ______ (Filing Date)

I hereby claim the benefit under 35 U.S.C. Section 120 of any United States application(s), or Section 365(c) of any PCT International application designating the United States, listed below and, insofar as the subject matter of each of the claims of this application is not disclosed in the prior United States or PCT International application in the manner provided by the first paragraph of 35 U.S.C. Section 112, I acknowledge the duty to disclose to the United States Patent and Trademark Office all information known to me to be material to patentability as defined in Title 37, C.F.R., Section 1.56 which became available between the filing date of the prior application and the national or PCT International filing date of this application:

08/426,090 (Application Serial No.)  April 21, 1995 (Filing Date)  ______ (Status: patented, pending, abandoned)
______ (Application Serial No.)  ______ (Filing Date)  ______ (Status: patented, pending, abandoned)
______ (Application Serial No.)  ______ (Filing Date)  ______ (Status: patented, pending, abandoned)

I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true; and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States Code and that such willful false statements may jeopardize the validity of the application or any patent issued thereon.
POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) and/or agent(s) to prosecute this application and transact all business in the Patent and Trademark Office connected therewith (list name and registration number):
Orange & Chari (Customer No. 27155)

Send Correspondence to: John Orange
Orange & Chari
Suite 4900, P.O. Box 190
Toronto, Ontario M5K 1H6, CANADA

Direct Telephone Calls to: (name and telephone number)
John R.S. Orange (416) 601-8440

Full name of sole or first inventor: VANSTONE, Scott A.
Residence: 10140 Pineview Trail, P.O. Box 490, Campbellville, Ontario L0P 1B0, CANADA
Citizenship: Canadian
Post Office Address: Same As Above

Full name of second inventor, if any: MENEZES, Alfred J.
Second inventor's signature: ______   Date: ______
Residence: 1302-2267 Lakeshore Blvd. West, Toronto, Ontario M8V 3X2, CANADA
Citizenship: Canadian
Post Office Address: Same As Above

Full name of third inventor, if any: QU, Minghua
Third inventor's signature: ______   Date: ______
Residence: 5495 Middlebury Drive, Mississauga, Ontario L5M 5G7 CANADA
Citizenship: Indian
Post Office Address: Same As Above

Full name of fourth inventor, if any: STRUIK, Rene
Fourth inventor's signature: [signature]
Residence: 34 Northumberland St., Toronto, Ontario M6H 1R1, CANADA
Citizenship: Dutch
Post Office Address: Same As Above

Full name of fifth inventor, if any: ______
Fifth inventor's signature: ______   Date: ______
Residence: ______
Citizenship: ______
Post Office Address: ______

Full name of sixth inventor, if any: ______
Sixth inventor's signature: ______   Date: ______
Residence: ______
Citizenship: ______
Post Office Address: ______
Patent and Trademark Office - U.S. DEPARTMENT OF COMMERCE

CANADA
PROVINCE OF ONTARIO
TO WIT:

TO ALL WHOM THESE PRESENTS
MAY COME, BE SEEN OR KNOWN

I, DAVID GORDON ALLSEBROOK, a Notary Public in and for the Province of Ontario, by Royal Authority duly appointed, residing at the City of Toronto in said Province, DO CERTIFY AND ATTEST that the paper-writing hereto annexed is a true copy of a document produced and shown to me and purporting to be a copy of an Assignment from Scott Vanstone, Alfred John Menezes and Minghua Qu to Cryptech Systems Inc. dated June 19, 1995, the said copy having been compared by me with the said original Assignment, an act whereof being requested I have granted under my Notarial Form and Seal of Office to serve and avail as occasion shall or may require.

IN TESTIMONY WHEREOF I have hereto subscribed my name and affixed my Notarial Seal of Office at Toronto this ___ day of April, 1996.

DAVID GORDON ALLSEBROOK

ASSIGNMENT

TO WHOM IT MAY CONCERN:

For the sum of One Dollar and other valuable consideration to us in hand paid, receipt of which is hereby acknowledged, be it known that we, Scott Vanstone of 539 Sandbrook Court, Waterloo, Ontario, N2T 2H4, Canada; Alfred John Menezes of 254 Payne Street, Auburn, Alabama 36830 and Minghua Qu of 157 University Avenue West, #112, Waterloo, Ontario, N2L 3E5, Canada, have sold, assigned and transferred and by these presents do sell, assign, transfer and set over unto Cryptech Systems Inc., an Ontario corporation, with a place of business at 200 Matheson Boulevard West, Mississauga, Ontario, L5R 3L7, Canada, its successors, legal representatives, or assigns, the whole right, title and interest in and to a certain invention relating to a KEY AGREEMENT AND TRANSPORT PROTOCOL by us devised and the application for United States Patent therefor executed by us and filed in the United States Patent and Trademark Office on April 21, 1995, Serial No. 08/426,090, and all original and reissue patents granted thereof, and all divisions and continuations thereof, including the subject matter of any and all claims which may be obtained in every such patent, and all foreign rights to said invention, and covenant that we have full right to do so, and agree that we will communicate to said corporation or its representatives all facts known to us respecting said invention, whenever requested, and testify in any legal proceedings, sign all lawful papers, make all rightful oaths and generally do everything possible to aid said corporation, its successors, assigns, and nominees, to obtain and enforce proper patent protection for said invention in all countries.

The Commissioner of Patents and Trademarks is requested to issue the Letters Patent which may be granted for said invention or any part thereof unto the said corporation in keeping with this Assignment.

Date: [handwritten]
Scott Vanstone

Date: [handwritten]
Alfred John Menezes
(WITNESS)

Date: [handwritten]
Minghua Qu
(WITNESS)

(WITNESS)
KEY AGREEMENT AND TRANSPORT PROTOCOL

This application is a continuation-in-part of United States Application No. 08/426,090.

The present invention relates to key agreement protocols for transfer and authentication of encryption keys.

To retain privacy during the exchange of information it is well known to encrypt data using a key. The key must be chosen so that the correspondents are able to encrypt and decrypt messages but such that an interceptor cannot determine the contents of the message.

In a secret key cryptographic protocol, the correspondents share a common key that is secret to them. This requires the key to be agreed upon between the correspondents and for provision to be made to maintain the secrecy of the key and provide for change of the key should the underlying security be compromised.

Public key cryptographic protocols were first proposed in 1976 by Diffie-Hellman and utilized a public key made available to all potential correspondents and a private key known only to the intended recipient. The public and private keys are related such that a message encrypted with the public key of a recipient can be readily decrypted with the private key but the private key cannot be derived from the knowledge of the plaintext, ciphertext and public key.

Key establishment is the process by which two (or more) parties establish a shared secret key, called the session key. The session key is subsequently used to achieve some cryptographic goal, such as privacy. There are two kinds of key agreement protocol: key transport protocols, in which a key is created by one party and securely transmitted to the second party; and key agreement protocols, in which both parties contribute information which jointly establishes the shared secret key. The number of message exchanges required between the parties is called the number of passes. A key establishment protocol is said to provide implicit key authentication (or simply key authentication) if one party is assured that no other party aside from a specially identified second party may learn the value of the session key. The property of implicit key authentication does not necessarily mean that the second party actually possesses the session key. A key establishment protocol is said to provide key confirmation if one party is assured that a specially identified second party actually has possession of a particular session key. If the authentication is provided to both parties involved in the protocol, then the key authentication is said to be mutual; if provided to only one party, the authentication is said to be unilateral.

There are various prior proposals which claim to provide implicit key authentication. Examples include the Nyberg-Rueppel one-pass protocol and the Matsumoto-Takashima-Imai (MTI) and the Goss and Yacobi two-pass protocols for key agreement.

The prior proposals ensure that transmissions between correspondents to establish a common key are secure and that an interloper cannot retrieve the session key and decrypt the ciphertext. In this way security for sensitive transactions such as transfer of funds is provided.

For example, the MTI/A0 key agreement protocol establishes a shared secret K, known to the two correspondents, in the following manner:

1. During initial, one-time setup, key generation and publication is undertaken by selecting and publishing an appropriate system prime p and generator $\alpha$ in a manner guaranteeing authenticity. Correspondent A selects as a long-term private key a random integer a, $1 \le a \le p-2$, and computes a long-term public key $z_A = \alpha^a \bmod p$. B generates analogous keys b, $z_B$. A and B have access to authenticated copies of each other's long-term public key.

2. The protocol requires the exchange of the following messages.

   A → B: $\alpha^x \bmod p$   (1)
   A ← B: $\alpha^y \bmod p$   (2)

The values of x and y remain secure during such transmissions as it is impractical to determine the exponent even when the value of $\alpha$ and the exponentiation is known, provided of course that p is chosen sufficiently large.

3. To implement the protocol the following steps are performed each time a shared key is required.

   (a) A chooses a random integer x, $1 \le x \le p-2$, and sends B message (1), i.e. $\alpha^x \bmod p$.
   (b) B chooses a random integer y, $1 \le y \le p-2$, and sends A message (2), i.e. $\alpha^y \bmod p$.
   (c) A computes the key $K = (\alpha^y)^a z_B^x \bmod p$.
   (d) B computes the key $K = (\alpha^x)^b z_A^y \bmod p$.
   (e) Both share the key $K = \alpha^{bx+ay}$.

In order to compute the key K, A must use his secret key a and the random integer x, both of which are known only to him. Similarly B must use her secret key b and random integer y to compute the session key K. Provided the secret keys a,b remain uncompromised, an interloper cannot generate a session key identical to the other correspondent. Accordingly, any ciphertext will not be decipherable by both correspondents.

As such this and related protocols have been considered satisfactory for key establishment and resistant to conventional eavesdropping or man-in-the-middle attacks.

In some circumstances it may be advantageous for an adversary to mislead one correspondent as to the true identity of the other correspondent.

In such an attack an active adversary or interloper E modifies messages exchanged between A and B, with the result that B believes that he shares a key K with E while A believes that she shares the same key K with B. Even though E does not learn the value of K, the misinformation as to the identity of the correspondents may be useful.

A practical scenario where such an attack may be launched successfully is the following. Suppose that B is a bank branch and A is an account holder. Certificates are issued by the bank headquarters and within the certificate is the account information of the holder. Suppose that the protocol for electronic deposit of funds is to exchange a key with a bank branch via a mutually authenticated key agreement. Once B has authenticated the transmitting entity, encrypted funds are deposited to the account number in the certificate. If no further authentication is done in the encrypted deposit message (which might be the case to save bandwidth) then the deposit will be made to E's account.

It is therefore an object of the present invention to provide a protocol in which the above disadvantages are obviated or mitigated.

According therefore to the present invention there is provided a method of authenticating a pair of correspondents A,B to permit exchange of information therebetween, each of said correspondents having a respective private key a,b and a public key $p_A, p_B$ derived from a generator $\alpha$ and respective ones of said private keys a,b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function $f(\alpha)$ including said generator to a power $g(x)$ to provide a first exponentiated function $f(\alpha)^{g(x)}$;
ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;
iii) said correspondent B selecting a second random integer y and exponentiating a function $f(\alpha)$ including said generator to a power $g(y)$ to provide a second exponentiated function $f(\alpha)^{g(y)}$;
iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;
v) said second correspondent B generating a value h of a function $F[\delta, K]$ where $F[\delta, K]$ denotes a cryptographic function applied conjointly to $\delta$ and K and where $\delta$ is a subset of the public information provided by B, thereby to bind the values of $\delta$ and K;
vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponentiated function $f(\alpha)^{g(y)}$ and said value h of said cryptographic function $F[\delta, K]$;
vii) said first correspondent receiving said message and computing a session key K' from information made public by said second correspondent B and private to said first correspondent A;
viii) said first correspondent A computing a value h' of a cryptographic function $F[\delta, K']$; and
ix) comparing said values h,h' obtained from said cryptographic functions F to confirm their correspondence.

As the session key K can only be generated using information that is private to either A or B, the binding of K with $\delta$ with the cryptographic function h prevents E from extracting K or interjecting a new value function that will correspond to that obtained by A.

Embodiments of the invention will now be described by way of example only with reference to the accompanying drawings in which:

Figure 1 is a schematic representation of a data communication system.
Figures 2 through 7 are schematic representations of implementations of different protocols.

Referring therefore to Figure 1, a pair of correspondents, 10,12, denoted as correspondent A and correspondent B, exchange information over a communication channel 14. A cryptographic unit 16,18 is interposed between each of the correspondents 10,12 and the channel 14. A key 20 is associated with each of the cryptographic units 16,18 to convert plaintext carried between each unit 16,18 and its respective correspondent 10,12 into ciphertext carried on the channel 14.

In operation, a message generated by correspondent A, 10, is encrypted by the unit 16 with the key 20 and transmitted as ciphertext over channel 14 to the unit 18. The key 20 operates upon the ciphertext in the unit 18 to generate a plaintext message for the correspondent B, 12. Provided the keys 20 correspond, the message received by the correspondent 12 will be that sent by the correspondent 10.

In order for the system shown in Figure 1 to operate it is necessary for the keys 20 to be identical and therefore a key agreement protocol is established that allows the transfer of information in a public manner to establish the identical keys. A number of protocols are available for such key generation and embodiments of the present invention will be described below in the context of modifications of existing protocols.

A commonly used set of protocols are collectively known as the Matsumoto-Takashima-Imai or "MTI" key agreement protocols, and are variants of the Diffie-Hellman key exchange. Their purpose is for parties A and B to establish a secret session key K.

The system parameters for these protocols are a prime number p and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$. Correspondent A has private key a and public key $p_A = \alpha^a$. Correspondent B has private key b and public key $p_B = \alpha^b$. In all four protocols exemplified below, $\text{text}_A$ refers to a string of information that identifies party A. If the other correspondent B possesses an authentic copy of correspondent A's public key, then $\text{text}_A$ will contain A's public-key certificate, issued by a trusted center; correspondent B can use his authentic copy of the trusted center's public key to verify correspondent A's certificate, hence obtaining an authentic copy of correspondent A's public key.

In each example below it is assumed that an interloper E wishes to have messages from A identified as having originated from E herself. To accomplish this, E selects a random integer e, $1 \le e \le p-2$, computes $p_E = (p_A)^e = \alpha^{ae} \bmod p$, and gets this certified as her public key. E does not know the exponent ae, although she knows e. By substituting $\text{text}_E$ for $\text{text}_A$, the correspondent B will assume that the message originates from E rather than A and use E's public key to generate the session key K. E also intercepts the message from B and uses her secret random integer e to modify its contents. A will then use that information to generate the same session key allowing A to communicate with B.

The present invention is exemplified by modifications to 4 of the family of MTI protocols which foil this new attack thereby achieving the desired property of mutual implicit authentication. In the modified protocols exemplified below F(X, Y) denotes a cryptographic function applied to a string derived from X and Y. Typically and as exemplified a hash function, such as the NIST "Secure Hash Algorithm" (SHA-1), is applied to the string obtained by concatenating X and Y but it will be understood that other cryptographic functions may be used.

Example 1 - MTI/A0 protocol

The existing protocol operates as follows:

1. Correspondent A generates a random integer x, $1 \le x \le p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.
2. Correspondent B generates a random integer y, $1 \le y \le p-2$, computes $\alpha^y$, and sends $\{\alpha^y, \text{text}_B\}$ to party A.
3. Correspondent A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$.
4. Correspondent B computes $K = (\alpha^x)^b (p_A)^y = \alpha^{ay+bx}$.

A common key K is thus obtained. However, with this arrangement, interloper E may have messages generated by correspondent A identified as having originated from E in the following manner.

1. E intercepts A's message $\{\alpha^x, \text{text}_A\}$ and replaces it with $\{\alpha^x, \text{text}_E\}$. The provision of the message $\text{text}_E$ identifies the message as having originated at E.
2. B sends $\{\alpha^y, \text{text}_B\}$ to E, who then forwards $\{\alpha^{ye}, \text{text}_B\}$ to A. Since A receives $\text{text}_B$, he assumes the message originates at B and, as he does not know the value of y, assumes that $\alpha^{ye}$ is valid information.
3. A computes $K = (\alpha^{ye})^a (p_B)^x = \alpha^{aey+bx}$.
4. B computes $K = (\alpha^x)^b (p_E)^y = \alpha^{bx+aey}$.
5. A and B now share the key K, even though B believes he shares a key with E.

Accordingly any further transactions from A to B will be considered by B to have originated at E. B will act accordingly, crediting instructions to E. Even though the interloper E does not learn the value of the session key K, nevertheless the assumption that the message originates at E may be valuable and achieve the desired effect.
To avoid this problem, the protocol is modified as follows:

1. A generates a random integer x, $1 \le x \le p-2$, computes $\alpha^x$, and sends $\{\alpha^x, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, and computes $\alpha^y$, $K = (\alpha^x)^b (p_A)^y = \alpha^{bx+ay}$, and a value h of cryptographic hash function $F(\alpha^y, \alpha^{bx+ay})$ which is a function of public information $\delta$ and the key K. B sends $\{\alpha^y, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^y)^a (p_B)^x = \alpha^{ay+bx}$. A also computes a value h' of cryptographic hash function $F(\alpha^y, K)$ and verifies that this value is equal to h.

If E attempts to interpose her identification, $\text{text}_E$, the attack fails on the modified protocols because in each case B sends the hash value $F(\delta, K)$, where $\delta$ is B's random exponential, thereby binding together the values of $\delta$ and K. E cannot subsequently replace the value of $\delta$ with $\delta^e$ and compute $F(\delta^e, K)$ since E does not know K. Even though E knows $\alpha^y$, this is not sufficient to extract K from the hash value h. Accordingly, even if E interposes the value $\alpha^{ye}$ so that the keys 20 will agree, the values h,h' will not.

Example 2 - MTI/B0 protocol

In this protocol,

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$, and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^y = \alpha^{ay}$, and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.
4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.

This protocol is vulnerable to the interloper E if,

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$ to identify herself as the originator of the message.
2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$.
4. B computes $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$.
5. A and B now share the key K, even though B believes he shares a key with E.

This protocol may be modified to resist E's attack as follows.

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$ and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1}} \alpha^y = \alpha^{x+y}$, and the value h of hash function $F(\alpha^{ay}, K)$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1}} \alpha^x = \alpha^{x+y}$. A also computes the value h' of hash function $F(\alpha^{ay}, K)$ and verifies that this value is equal to h.

Once again, E cannot determine the session key K and so cannot generate a new value of the hash function to maintain the deception.

Example 3 - MTI/C0 protocol

This protocol operates as follows:

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$ and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^y = \alpha^{ay}$ and sends $\{\alpha^{ay}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$.
4. B computes $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$.

The interloper E may interpose her identity as follows:

1. E replaces A's message $\{\alpha^{bx}, \text{text}_A\}$ with $\{\alpha^{bx}, \text{text}_E\}$.
2. B sends $\{(p_E)^y, \text{text}_B\}$ to E, who then computes $((p_E)^y)^{e^{-1}} = \alpha^{ay}$ and forwards $\{\alpha^{ay}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$.
4. B computes $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$.
5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this attack the protocol is modified as follows:

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^x = \alpha^{bx}$ and sends $\{\alpha^{bx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^y = \alpha^{ay}$, $K = (\alpha^{bx})^{b^{-1} y} = \alpha^{xy}$, and value h of hash function $F(\alpha^{ay}, \alpha^{xy})$. B sends $\{\alpha^{ay}, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{ay})^{a^{-1} x} = \alpha^{xy}$. A also computes the value h' of $F(\alpha^{ay}, K)$ and verifies that this value is equal to h.
Example 4 - MTI/C1 protocol

In this protocol:

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^{ax} = \alpha^{abx}$ and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, computes $(p_A)^{by} = \alpha^{aby}$ and sends $\{\alpha^{aby}, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.
4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.

E can act as an interloper as follows:

1. E replaces A's message $\{\alpha^{abx}, \text{text}_A\}$ with $\{\alpha^{abx}, \text{text}_E\}$.
2. B sends $\{(p_E)^{by}, \text{text}_B\}$ to E, who then computes $((p_E)^{by})^{e^{-1}} = \alpha^{aby}$ and forwards $\{\alpha^{aby}, \text{text}_B\}$ to A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$.
4. B computes $K = (\alpha^{abx})^y = \alpha^{abxy}$.
5. A and B now share the key K, even though B believes he shares a key with E.

To avoid this, the protocol is modified as follows:

1. A generates a random integer x, $1 \le x \le p-2$, computes $(p_B)^{ax} = \alpha^{abx}$ and sends $\{\alpha^{abx}, \text{text}_A\}$ to party B.
2. B generates a random integer y, $1 \le y \le p-2$, and computes $(p_A)^{by} = \alpha^{aby}$, $K = (\alpha^{abx})^y = \alpha^{abxy}$, and $h = F(\alpha^{aby}, \alpha^{abxy})$. B sends $\{\alpha^{aby}, h, \text{text}_B\}$ to party A.
3. A computes $K = (\alpha^{aby})^x = \alpha^{abxy}$. A also computes $h' = F(\alpha^{aby}, K)$ and verifies that this value is equal to h.

In each of the modified protocols discussed above, key confirmation from B to A is provided.

As noted above, instead of F being a cryptographic hash function other functions could be used. For example, an option available is to choose $F = G_K$, where G is the encryption function of a suitable symmetric-key encryption scheme, and K is the session key established. Because E cannot generate the session key K, it is similarly not able to generate the value of the function F and therefore cannot interpose for the correspondent A.

The technique described above can be applied to other similar key exchange protocols, including all of the 3 infinite classes of MTI protocols called MTI-A(k), MTI-B(k) and MTI-C(k).

The Goss authenticated key exchange protocol is similar to the MTI/A0 protocol, except that the session key is the bitwise exclusive-OR of $\alpha^{ay}$ and $\alpha^{bx}$; that is $K = \alpha^{ay} \oplus \alpha^{bx}$ instead of being the product of $\alpha^{ay}$ and $\alpha^{bx}$. Hence the attack on the MTI/A0 protocol and its modification can be extended in a straightforward manner to the case of the Goss protocol.

14 Similarly Yacobi's authenticated key exchange protocol is exactly the 

15 same as the MTI/AO protocol, except that a is an elementiofcthe group of units 

16 , where n is the product of 2 large primes. Again, the attack on the MTI/AO 

17 protocol and its modification can be extended in a straightforward manner to the case 

18 of the Goss protocol. 

19 A further way of foiling the interposition of E is to require that each 

2 0 entity prove to a trusted center that it knows the exponent of a that produces its public 

2 1 key P, before the center issues a certificate for the public key. Because E only knows 

22 "e" and not "ae" it would not meet this requirement. This can be achieved through 

2 3 zero knowledge techniques to protect the secrecy of the private keys but also requires 

24 the availability of a trusted centre which may not be convenient. 

25 Each of the above examples has been described with a 2 pass protocol 

26 for key authentication. One pass protocols also exist to establish a key between 

27 correspondents and may be similarly vulnerable. 

2 8 As an example the Nyberg-Rueppel one pass key agreement protocol 

2 9 will be described and a modification proposed. 

30 The purpose of this protocol is for party A and party B to agree upon a 

12 



1 secret session key K. 

The system parameters for these protocols are a prime number p and a generator $\alpha$ of the multiplicative group $\mathbb{Z}_p^*$. User A has private key a and public key $p_A = \alpha^a$. User B has private key b and public key $p_B = \alpha^b$.

1. A selects random integers x and t, $1 \le x, t \le p-2$.

2. A computes $r = (p_B)^t \alpha^{-x} \bmod p$, $s = x - ra \bmod (p-1)$ and the session key $K = \alpha^t \bmod p$, and sends $\{r, s, \text{text}_A\}$ to B.

3. B recovers the value $\alpha^x \bmod p$ by computing $\alpha^s (p_A)^r \bmod p$ and then computes the shared session key $K = (r\alpha^x)^{b^{-1}} = \alpha^t \bmod p$.

If interloper E wishes to have messages from A identified as having originated from herself, E selects a random integer e, $1 \le e \le p-2$, computes $p_E = \alpha^e$ and gets this certified as her public key.

1. E intercepts A's message $\{r, s, \text{text}_A\}$ and computes $\alpha^x = \alpha^s (p_A)^r$ and $\alpha^{bt} = r\alpha^x$.

2. E then selects a random integer x', $1 \le x' \le p-2$, computes $r' = \alpha^{bt} \alpha^{-x'} \bmod p$ and $s' = x' - r'e \bmod (p-1)$.

3. E sends $\{r', s', \text{text}_E\}$ to B.

4. B recovers the value $\alpha^{x'} \bmod p$ by computing $\alpha^{s'} (p_E)^{r'} \bmod p$ and then computes $K = (r'\alpha^{x'})^{b^{-1}} = \alpha^t \bmod p$.

5. A and B now share the key K, even though B believes he shares a key with E.

To foil such an attack the protocol is modified by requiring A to also transmit a value h of $F(p_A, K)$, where F is a hash function, an encryption function of a symmetric-key system with key K, or other suitable cryptographic function. The modified protocol is the following.

1. A selects random integers x and t, $1 \le x, t \le p-2$.

2. A computes $r = (p_B)^t \alpha^{-x} \bmod p$, $s = x - ra \bmod (p-1)$, session key $K = \alpha^t \bmod p$ and the value h of hash function $F(p_A, K)$. A sends $\{r, s, h, \text{text}_A\}$ to B.

3. B recovers the value $\alpha^x \bmod p$ by computing $\alpha^s (p_A)^r \bmod p$ and then computes the shared session key $K = (r\alpha^x)^{b^{-1}} = \alpha^t \bmod p$. B also computes the value h' of function $F(p_A, K)$ and verifies that this value is equal to h.

Again therefore, by binding together the public information $p_A$ and the session key K in the hash function, the interposition of E will not result in identical hash values h, h'.

In each case it can be seen that a relatively simple modification to the protocols, involving the binding of public and private information in a cryptographic function, foils the interposition of interloper E.
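The Nyberg-Rueppel one pass protocol, E's re-signing of A's message and the modified protocol with $h = F(p_A, K)$, as an added Python example that is not code from the patent. The group (safe prime p = 1019, primitive root 2), the private keys a, b, e, the exponents x, t, x', and the choice of F as SHA-256 over the sender's public key and the session key are constructed for illustration. The example shows why the attack works (E learns $\alpha^{bt} = r\alpha^x$ from A's message without learning t, and B's recovery of $\alpha^{x'}$ succeeds under $p_E$) and why the modification stops it (B checks h against $p_E$, the key under which the message arrived, and E cannot form $F(p_E, \alpha^t)$ without $\alpha^t$).

```python
import hashlib
from math import gcd

# Toy group, constructed for this example: p = 1019 is a safe prime and 2 is a primitive
# root mod 1019.  Real systems use a large prime or an elliptic curve; the logic is identical.
P, ALPHA = 1019, 2
ORDER = P - 1

# Long-term private keys of A, B and the interloper E (constructed values).
# B raises to b^{-1}, so b must be invertible modulo p-1.
A_PRIV, B_PRIV, E_PRIV = 123, 457, 77
assert gcd(B_PRIV, ORDER) == 1
P_A, P_B, P_E = (pow(ALPHA, k, P) for k in (A_PRIV, B_PRIV, E_PRIV))
PUBKEYS = {"textA": P_A, "textE": P_E}     # B's directory of certified public keys by identity


def F(pub_key, key):
    """Binding function F(p, K): here a hash of the sender's public key and the session key."""
    return hashlib.sha256(f"{pub_key}|{key}".encode()).hexdigest()


def a_send(x=301, t=555):
    """A's single pass: r = (p_B)^t alpha^{-x}, s = x - r a mod (p-1), K = alpha^t, h = F(p_A, K).
    Returns the message and A's session key.  Omit h to obtain the unmodified protocol."""
    r = pow(P_B, t, P) * pow(ALPHA, ORDER - x, P) % P     # alpha^{-x} = alpha^{(p-1)-x}
    s = (x - r * A_PRIV) % ORDER
    k = pow(ALPHA, t, P)
    return {"r": r, "s": s, "h": F(P_A, k), "text": "textA"}, k


def e_rewrite(msg, x_prime=640):
    """E's interposition: recover alpha^x = alpha^s (p_A)^r and alpha^{bt} = r alpha^x from A's
    message, then re-issue the same alpha^{bt} under her own key with r' = alpha^{bt} alpha^{-x'}
    and s' = x' - r' e mod (p-1).  E cannot recompute h, since that needs K = alpha^t."""
    alpha_x = pow(ALPHA, msg["s"], P) * pow(P_A, msg["r"], P) % P
    alpha_bt = msg["r"] * alpha_x % P
    r2 = alpha_bt * pow(ALPHA, ORDER - x_prime, P) % P
    s2 = (x_prime - r2 * E_PRIV) % ORDER
    return {"r": r2, "s": s2, "h": msg["h"], "text": "textE"}


def b_receive(msg, check_h):
    """B recovers alpha^x = alpha^s (p_sender)^r and K = (r alpha^x)^{b^{-1}} = alpha^t.
    With check_h (the modified protocol) B also verifies h == F(p_sender, K).
    Returns (K, or None if rejected, and the identity B attributes the message to)."""
    sender_pub = PUBKEYS[msg["text"]]
    alpha_x = pow(ALPHA, msg["s"], P) * pow(sender_pub, msg["r"], P) % P
    k = pow(msg["r"] * alpha_x % P, pow(B_PRIV, -1, ORDER), P)
    if check_h and F(sender_pub, k) != msg["h"]:
        return None, msg["text"]
    return k, msg["text"]
```

Note that B must evaluate F with the public key of the identity the message claims, not with a key supplied in the message; binding $p_A$ into h only helps if the verifier's copy of the public key comes from its own certified directory.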

All the protocols discussed above have been described in the setting of the multiplicative group $\mathbb{Z}_p^*$. However, they can all be easily modified to work in any finite group in which the discrete logarithm problem appears intractable. Suitable choices include the multiplicative group of a finite field (in particular the finite field $GF(2^n)$), subgroups of $\mathbb{Z}_p^*$ of order q, and the group of points on an elliptic curve defined over a finite field. In each case an appropriate generator $\alpha$ will be used to define the public keys.

The protocols discussed above can also be modified in a straightforward way to handle the situation when each user picks their own system parameters p and $\alpha$ (or analogous parameters if a group other than $\mathbb{Z}_p^*$ is used).

Further implementations are shown schematically in figures 2 through 7. A different notation is utilized but it will be understood that this notation may be mapped to that of the previous embodiments.

24 

Referring to figure 2, a mutual public key authenticated key agreement protocol is implemented between a correspondent A shown on the left hand side of the figure and a correspondent B shown on the right hand side. Correspondent A has a public-private key pair $P_A, S_A$ respectively and similarly correspondent B has a public-private key pair $P_B, S_B$.

As a first step, correspondent A generates a session private key as a random number $RND_A$ and computes a corresponding public session key $G_A = F_A(RND_A)$. The function $F_A$ is a cryptographic one way function, typically an exponentiation by the group generator, such as a point multiplication in an elliptic curve cryptosystem.

The public session key $G_A$ is forwarded to correspondent B, who generates the corresponding parameters of a session private key $RND_B$ and the exponent $G_B$.

The correspondent B computes a session key K as a function of A's public information $G_A, P_A$ and B's private information $RND_B, S_B$. A corresponding key K' can be computed by A using the private information of A and the public information of B, namely $f(RND_A, G_B, S_A, P_B)$.

After correspondent B has generated the key K, he compiles a string $(G_B // G_A // Id_A)$ where $Id_A$ is a string that identifies A. The concatenated string is hashed with a cryptographic function $h_K$, which is a keyed hash function that uses the key K, to yield a string $hash_B$.

The string $hash_B$ is forwarded to correspondent A together with $Id_A$ and $G_B$.

Upon receipt of the message from B, correspondent A computes the key K' as described above. Correspondent A also computes a hash, $hashverify_B$, from the string $(G_B // G_A // Id_A)$ using the hash function keyed by the key K'. Correspondent A checks that the hashes verify to confirm the identity of the keys K, K'.

Correspondent A then computes a hash $hash_A$ using the key K on the string $(G_A // G_B // Id_B)$ and forwards that together with $Id_B$ to correspondent B. Correspondent B similarly computes a $hashverify_A$ using the keyed hash function $h_K$ on the same string and verifies that $hash_A = hashverify_A$.
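The three passes of figure 2 as an added Python example, not code from the patent or its figures. The page does not fix the key function f or the keyed hash $h_K$; the example assumes an MTI/A0-style $K = G_{peer}^{S} \cdot P_{peer}^{RND}$, which both sides can form, and HMAC-SHA256 for $h_K$. The group (safe prime p = 1019, primitive root 2), the long-term keys and the session randoms passed in by the caller are constructed for illustration; a real implementation draws $RND$ from a secure generator, as the default path does. The tamper flag shows the failure mode the keyed hash is there to catch: an attacker who substitutes $G_B$ in transit leaves A with a $K'$ that no longer matches K, and $hashverify_B$ then differs from $hash_B$.

```python
import hashlib
import hmac
import secrets

# Toy group, constructed for this example: p = 1019 is a safe prime with primitive root 2.
# The figure-2 notation is group-agnostic; an elliptic curve point multiplication would
# replace pow() without changing the protocol.
P, ALPHA = 1019, 2
ORDER = P - 1
KEY_BYTES = (P.bit_length() + 7) // 8


def keyed_hash(key, *parts):
    """h_K: keyed hash of the string (part // part // ...) under the session key K.
    HMAC-SHA256 is an assumption; the page only says the hash is keyed with K."""
    data = "//".join(parts).encode()
    return hmac.new(key.to_bytes(KEY_BYTES, "big"), data, hashlib.sha256).hexdigest()


class Correspondent:
    def __init__(self, ident, priv):
        self.id = ident                    # Id_A or Id_B
        self.S = priv                      # long-term private key S
        self.P = pow(ALPHA, priv, P)       # long-term public key P = alpha^S
        self.rnd = self.G = None

    def session_public(self, rnd=None):
        """RND chosen at random in [1, p-2]; G = F(RND) = alpha^RND (the one-way function)."""
        self.rnd = rnd if rnd is not None else secrets.randbelow(ORDER - 1) + 1
        self.G = pow(ALPHA, self.rnd, P)
        return self.G

    def session_key(self, peer_G, peer_P):
        """f(G_peer, P_peer, RND_self, S_self).  The page does not fix f; this assumes an
        MTI/A0-style combination K = G_peer^S * P_peer^RND = alpha^{RND_A S_B + S_A RND_B},
        which both sides can form from their own secrets and the other's public values."""
        return pow(peer_G, self.S, P) * pow(peer_P, self.rnd, P) % P


def run_figure2(rnd_a=None, rnd_b=None, tamper=False):
    """Three passes of figure 2.  Returns (A accepts B, B accepts A, K == K').
    With tamper=True an active attacker replaces G_B in transit."""
    A, B = Correspondent("IdA", 123), Correspondent("IdB", 457)   # constructed long-term keys
    G_A = A.session_public(rnd_a)                                  # pass 1: A -> B : G_A
    G_B = B.session_public(rnd_b)
    K = B.session_key(G_A, A.P)
    hash_B = keyed_hash(K, str(G_B), str(G_A), A.id)               # h_K(G_B // G_A // Id_A)
    G_B_recv = pow(G_B, 3, P) if tamper else G_B                   # pass 2: B -> A : G_B, Id_A, hash_B
    K_prime = A.session_key(G_B_recv, B.P)
    hashverify_B = keyed_hash(K_prime, str(G_B_recv), str(G_A), A.id)
    if not hmac.compare_digest(hash_B, hashverify_B):
        return False, False, K == K_prime                          # A aborts: K' does not match K
    hash_A = keyed_hash(K_prime, str(G_A), str(G_B_recv), B.id)    # pass 3: A -> B : Id_B, hash_A
    hashverify_A = keyed_hash(K, str(G_A), str(G_B), B.id)
    return True, hmac.compare_digest(hash_A, hashverify_A), K == K_prime
```

The comparisons use hmac.compare_digest rather than == so that the verification time does not depend on where the two digests first differ.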

2 

A similar protocol is shown in figure 3 to implement a mutual symmetric key authentication protocol. In this protocol the correspondents share a key K obtained over a secure channel. The correspondents A, B each generate a random integer which is used as the session public key of A and B respectively. Thereafter the exchange of information and verification proceeds as above with respect to figure 2, with the shared secret key being utilised in the keyed hash functions.

A full mutual public key authenticated protocol is shown in figure 4. An initial exchange of the public keys $P_A, P_B$ is performed over an authenticated channel, followed by the exchange of information as shown in the protocol of figure 4. In this case the correspondent A sends $G_A$, computed as described above with respect to figure 2, together with a string $x_2$ that A wants confirmation of receipt by B. Correspondent B computes the key K as in figure 2 and also generates a pair of strings $y_1, y_2$ which B wants to have authenticated by A and receipt confirmed by A respectively. The strings are sent to A with the hash $hash_B$ and identity $Id_A$. The hash $hash_B$ is performed on a string including the message $x_2$ and the string $y_1$ that B wants authenticated.

Correspondent A computes the key K and verifies the hash as before. This also confirms receipt of $x_2$ by B.

Correspondent A in turn generates strings $z_1, z_2$ where $z_1$ is a string that A wants authenticated by B and $z_2$ is a string that may be used in a subsequent stage of the protocol described below. The strings $z_1$ and $y_2$, together with the identifying information of B, $Id_B$, are included in the string that is hashed with the key K to provide the string $hash_A$. This is sent together with the identity of B and the strings $z_1, z_2$ to the correspondent B, who can verify the hashes as before, thereby confirming receipt of $y_2$ and authenticating $z_1$.

Thus the exchange of information is performed in an authenticated manner and a common key obtained that allows subsequent exchange of correspondence on a secure channel.

With the protocol described in figure 4 it is possible to implement a mutual public key authenticated key agreement protocol by letting the strings $x_2, y_1, y_2, z_1, z_2$ all be empty strings. Alternatively, a mutual public key authenticated key agreement protocol with key transport can be implemented by using $x_2$ as a string that is assumed to represent $E_K(k)$. Correspondent B can compute the value of K and hence retrieve the notional value of k from the string. He can use this as his CRP. The values of $y_1$ may be used to represent $E_K(k_{21})$ and $z_1$ as $E_K(k_{12})$, where $k_{21}$ and $k_{12}$ are different keys for communication or other secret information to be shared between the correspondents. In this case $y_2$ and $z_2$ are empty strings. In this way there is a key agreement on a shared key $K_{AB}$ together with authenticated key transport of the keys $k_{21}$ and $k_{12}$ between the correspondents. Moreover, if additional information is provided in $x_2$ and $y_2$ then confirmation of proper receipt is also obtained.

The protocol of figure 4 may also be used to increase efficiency in successive sessions by using the string $z_2$ to pass the information exchanged in the first pass of the next session. Thus as shown in figure 5, the string $G_A, x_2$ is sent as $z_2$ in the previous session. The protocol then proceeds from correspondent B as before. Correspondent B may also take advantage of this facility by including the information $G_B, y_1$ for the next session in the exchange as $y_2$.

The mutual public key authenticated key agreement protocol may also be adapted for symmetric key implementations as shown in figure 6. In this case, as in figure 3 above, the key generation is omitted as the correspondents have a shared key obtained over a secure channel.

Similarly, the protocol of figure 6 may be modified as illustrated in figure 7 to take advantage of the exchange of information in a previous session, similar to that of figure 5.

It will be seen therefore that a number of versatile and flexible protocols can be developed from the general protocol to meet particular needs. These protocols may implement elliptic curve cryptography or operate in $\mathbb{Z}_p$ as preferred.
WE CLAIM

1. A method of authenticating a pair of correspondents A,B to permit exchange of information therebetween, each of said correspondents having a respective private key a,b and a public key $p_A, p_B$ derived from a generator $\alpha$ and respective ones of said private keys a,b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function $f(\alpha)$ including said generator to a power $g(x)$ to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said correspondent B selecting a second random integer y and exponentiating a function $f'(\alpha)$ including said generator to a power $g(y)$ to provide a second exponentiated function $f'(\alpha)^{g(y)}$;

iv) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key K also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

v) said second correspondent B generating a value h of a function $F[\delta, K]$ where $F[\delta, K]$ denotes a cryptographic function applied conjointly to $\delta$ and K and where $\delta$ is a subset of the public information provided by B, thereby to bind the values of $\delta$ and K;

vi) said second of said correspondents B forwarding a message to said first correspondent A including said second exponentiated function $f'(\alpha)^{g(y)}$ and said value h of said cryptographic function $F[\delta, K]$;

vii) said first correspondent receiving said message and computing a session key K' from information made public by said second correspondent B and private to said first correspondent A;

viii) said first correspondent A computing a value h' of a cryptographic function $F[\delta, K']$; and

ix) comparing said values obtained from said cryptographic functions F to confirm their correspondence.

2. A method of claim 1 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

3. A method according to claim 1 wherein said message forwarded by said second correspondent includes an identification of said second correspondent.

4. A method according to claim 3 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

5. A method according to claim 1 wherein said first function $f(\alpha)$ including said generator is said generator itself.

6. A method according to claim 1 wherein said second function $f'(\alpha)$ including said generator is said generator itself.

7. A method according to claim 6 wherein said first function $f(\alpha)$ including said generator is said generator itself.

8. A method according to claim 1 wherein said first function including said generator $f(\alpha)$ includes said public key $p_B$ of said second correspondent.

9. A method according to claim 1 wherein said second function including said generator $f'(\alpha)$ includes said public key $p_A$ of said first correspondent.

10. A method according to claim 1 wherein said cryptographic functions F are hashes of $\delta$ and K.
11. A method of transporting a key between a pair of correspondents A,B to permit exchange of information therebetween, each of said correspondents having a respective private key a,b and a public key $p_A, p_B$ derived from a generator $\alpha$ and respective ones of said private keys a,b, said method including the steps of

i) a first of said correspondents A selecting a first random integer x and exponentiating a function $f(\alpha)$ including said generator to a power $g(x)$ to provide a first exponentiated function $f(\alpha)^{g(x)}$;

ii) said first correspondent A forwarding to a second correspondent B a message including said first exponentiated function $f(\alpha)^{g(x)}$;

iii) said second correspondent B constructing a session key K from information made public by said first correspondent A and information that is private to said second correspondent B, said session key K also being constructible by said first correspondent A from information made public by B and information that is private to said first correspondent A;

iv) both of said first correspondent A and said second correspondent B computing a respective value h,h' of function $F[\delta, K]$ where $F[\delta, K]$ denotes a cryptographic function applied to $\delta$ and K and where $\delta$ is a subset of the public information provided by one of said correspondents;

v) at least one of said correspondents comparing said values h,h' obtained from said cryptographic function F to confirm their correspondence.

12. A method of claim 11 wherein said message forwarded by said first correspondent includes an identification of the first correspondent.

13. A method according to claim 11 wherein said message forwarded by said first correspondent includes said value obtained from said cryptographic function by said first correspondent.

14. A method according to claim 11 wherein said values obtained from said cryptographic functions are obtained from a hash of said public information and said session key K.

15. A method according to claim 11 wherein said first correspondent selects a pair of random integers x and t and generates a session key K as $\alpha^t$ and generates a value r from said first exponentiated function $f(\alpha)^{g(x)}$ which includes a factor exponentiating said public key $p_B$ of said second correspondent B with said random integer t, to be of the form $p_B^{\,t} \alpha^{-x}$.

16. A method according to claim 15 wherein said first correspondent A generates a value s from a combination of said random integer x and said private key a and forwards said value of r and said value of s to said second correspondent B to permit said second correspondent B to recover said session key K using the private key b of said second correspondent B.

17. A method according to claim 16 wherein said random integer x and said private key a are combined to produce s such that $s = x - ra \bmod (p-1)$.

18. A method according to claim 17 wherein said cryptographic function F is a hash of said public information $\delta$ and said session key K.

19. A method according to claim 18 wherein said public information $\delta$ is the public key $p_A$ of said first correspondent A.
ABSTRACT

A key establishment protocol includes the generation of a value of a cryptographic function, typically a hash, of a session key and public information. This value is transferred between correspondents together with the information necessary to generate the session key. Provided the session key has not been compromised, the value of the cryptographic function will be the same at each of the correspondents. The value of the cryptographic function cannot be compromised or modified without access to the session key.